Known Behavior and Issues
Known Behavior
- Unified policies are supported. Legacy application security policies are not supported.
- Global address book is supported. Zone address book is not supported.
- When you import a policy that has rules with unsupported configuration, Juniper Security Director Cloud shows the information about those rules under Summary in the import wizard. After import, the rules with unsupported configurations are grayed out and shown with a disabled icon to differentiate system-disabled rules from rules disabled by a user. The rule description also shows the reason for disabling these rules. You cannot delete, edit, or perform any rule actions on these unsupported rules.
- Juniper Security Director Cloud overwrites user configuration performed directly from the device CLI or from any interface other than the portal. To avoid conflicts, you can import the configurations and re-assign the devices from existing policies.
Known Issues
Juniper Security Director Cloud
- Image installation fails for an image that is stored in an Amazon Web Services (AWS) setup with low-bandwidth device links.
  Workaround:
  - Add the images from the SRX > Device Management > Software Images page, and deploy the images to the device.
  - Try a manual CLI command execution on the device.
- The security policy import and deploy might fail if any hidden commands are present on the SRX Series Firewall due to incompatibility with an old version, for example, content security configuration and security policy.
  Workaround: Delete any hidden or undocumented commands from the SRX Series Firewalls, import the policy configuration again into Juniper Security Director Cloud, and then deploy the security policy.
- With the SMB protocol option in the predefined AAMW profile, commit fails for devices running a Junos OS release prior to 21.1.
  Workaround: Clone the default AAMW profile and disable the SMB protocol. Use the cloned profile in the security policy or in the global options.
- While upgrading a device (through a software image) to Junos OS 21.1 or later, the error "ISSU is not supported for Clock Synchronization (SyncE)" is shown.
  Workaround: Upgrade the cluster from the CLI using the workaround provided in https://prsearch.juniper.net/problemreport/PR1632810.
- When importing a security policy, a dynamic-address type is shown with two different names: address and Dynamic-address.
- After the security log configuration is pushed to the device, the session on port 6514 is not established immediately. Security and session logs take more than 10 minutes to appear in the Juniper Security Director Cloud UI. This behavior is seen sporadically after onboarding the device or after consecutive renegotiations of the TLS connection from the device.
  Workaround: Use the following steps to change the security log stream to the host IP address so that the security logs are received.
  1. View the DNS hostname information:
     For Home PoP Virginia, view the DNS hostname using show host srx.sdcloud.juniperclouds.net
     Example output:
     srx.sdcloud.juniperclouds.net has address 10.1.23.1
     For Home PoP Ohio, view the DNS hostname using show host srx.jsec2-ohio.juniperclouds.net
     Example output:
     srx.jsec2-ohio.juniperclouds.net has address 192.168.1.1
  2. Update the security log stream sd-cloud-logs to the IP address of the respective Home PoP.
     For example, if a device is onboarded in an organization with Home PoP Virginia, use set security log stream sd-cloud-logs host 10.1.23.1
- For existing devices in Juniper Security Director Cloud with Home PoP Virginia, the security logs are not seen in the UI. This behavior is observed if an IP address is used in the security log configuration to reach Juniper Security Director Cloud.
  Workaround: Disable and enable the security log configuration from the UI using the following steps:
  1. Go to SRX > Device Management > Devices and click Security Logs Configuration.
  2. From the Group by field, select All.
  3. Select the device and make a note of the Source Interface value.
  4. Click the edit icon, disable the toggle for Security Log Status, and click √ (check mark) to save your changes.
  5. Click OK. A deploy job is triggered to disable the security log configuration.
  6. Go to SRX > Device Management > Devices and click Security Logs Configuration.
  7. From the Group by field, select All.
  8. Select the device, click the edit icon, and select the interface value that you noted in Step 3.
  9. Enable the toggle for Security Log Status, and click √ (check mark) to save your changes.
  10. Click OK. A deploy job is triggered to enable the security log configuration.
  The device renegotiates the security log connection after these steps, and you should be able to view the security logs in the UI.
  If you still cannot view the security logs, use the following steps to change the security log configuration to point to the IP address:
  1. View the DNS hostname for Home PoP Virginia using the show host srx.sdcloud.juniperclouds.net command.
     Example output:
     srx.sdcloud.juniperclouds.net has address 10.1.23.1
  2. Update the security log stream sd-cloud-logs to the IP address of the respective Home PoP:
     set security log stream sd-cloud-logs host 10.1.23.1
- Juniper Security Director Cloud is unable to show the following logs for SRX Series Firewalls with Junos OS version 21.4 R3-S3.4 and later versions:
  - Web filtering logs
  - RT_FLOW logs
  - Content security logs
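The two security log workarounds above both end with pinning the sd-cloud-logs stream to the resolved Home PoP address. The following added example (not Juniper's code) checks a device's set-format configuration for that stream, reports whether it still points at a hostname, and emits the set command from the workaround; the hostname-to-address map and the sample configuration are constructed from the page's example values, so on a real device take the addresses from the actual show host output.

```python
import ipaddress
import re

# Home PoP hostname -> address as returned by 'show host' in the workaround above.
# The addresses are the page's sample values, not real PoP addresses; on a live
# device take them from the actual 'show host' output.
HOME_POP_HOSTS = {
    "srx.sdcloud.juniperclouds.net": "10.1.23.1",       # Virginia
    "srx.jsec2-ohio.juniperclouds.net": "192.168.1.1",  # Ohio
}

# Matches 'set security log stream <name> host <address-or-fqdn>' only; the
# 'host port 6514' line has two tokens after 'host' and is deliberately skipped.
STREAM_HOST_RE = re.compile(r"^set security log stream (\S+) host (\S+)\s*$")


def find_stream_host(config_text, stream="sd-cloud-logs"):
    """Return the host configured for the named log stream, or None if absent."""
    for line in config_text.splitlines():
        m = STREAM_HOST_RE.match(line.strip())
        if m and m.group(1) == stream:
            return m.group(2)
    return None


def is_ip_literal(host):
    """True when the configured host is already an IPv4/IPv6 address literal."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def fix_command(config_text, stream="sd-cloud-logs", resolver=HOME_POP_HOSTS):
    """Return the 'set' command pinning the stream to its Home PoP address, or
    None if the stream is absent, already an IP literal, or not a known PoP."""
    host = find_stream_host(config_text, stream)
    if host is None or is_ip_literal(host):
        return None
    addr = resolver.get(host.rstrip("."))
    return None if addr is None else f"set security log stream {stream} host {addr}"


# Constructed sample of a device's 'show configuration | display set' output.
SAMPLE_CONFIG = """\
set security log mode stream
set security log stream sd-cloud-logs format syslog
set security log stream sd-cloud-logs host srx.sdcloud.juniperclouds.net
set security log stream sd-cloud-logs host port 6514
"""

if __name__ == "__main__":
    print(fix_command(SAMPLE_CONFIG))  # set security log stream sd-cloud-logs host 10.1.23.1
```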
Secure Edge
- A few CASB applications that support third-party authentication fail to detect login activities correctly. Activities such as download, upload, and share are detected. For example, the Box application allows you to log in using Google credentials, but the activity is detected as a Google (Google Docs) login rather than a Box login.
- Denying the Google Docs application login also blocks access to other Google applications such as Gmail, Google Drive, and so on.
- If a non-administrator user launches the JIMS Collector user interface (UI), the status of the Enforcement Points is not updated. The status always shows "Inactive" on the Monitor > Enforcement Points page in the JIMS Collector UI.
- When authenticated by Hosted DB, end users with disabled accounts are not notified that their account has been disabled. The end-user account was either disabled by the administrator or automatically disabled after five consecutive failed authentication attempts.
  Workaround: End users can contact their administrator to unlock their account.
- When you create an IPsec tunnel from a site to Secure Edge, the tunnel configuration status on the UI displays a "tunnel_status_undefined" message instead of an "in progress" message.
  Workaround: The status updates when the tunnel creation process is complete, typically in about 10 minutes.
- The LDAP configuration may display a blank error screen when incorrect information is entered.
  Workaround: The administrator needs to re-enter the correct LDAP values.
- A few CASB applications and activities are not identified by the browser.
  Workaround: Disable HTTP over QUIC in your browser settings so that the SSL proxy is used.
  Steps to disable HTTP over QUIC in Firefox:
  1. In the address bar, enter about:config.
  2. In the Search preference name box, enter network.http.http3.enable and change the toggle to False.
  3. Repeat the above step for network.http.http3.enable and change the toggle to False.
  4. Clear the browser cookies and restart the browser.
  Steps to disable HTTP over QUIC in Chrome:
  1. In the address bar, enter chrome://flags/.
  2. In the Search flags box, enter Experimental QUIC protocol and select Disabled from the drop-down menu.
  3. Clear the browser cookies and restart the browser.